Spam attack....

Philip Butler butler at globeserver.com
Fri Jun 20 15:47:33 IST 2008


Thanks for all of the input so far - I'll try to digest it over the  
weekend.

I would have gotten to it before now, but my 7 year old son broke his  
leg a few days ago.  Life happens......

Phil

On Jun 19, 2008, at 2:12 AM, Scott Silva wrote:

> on 6-18-2008 6:27 PM Philip Butler spake the following:
>> Hi all,
>> This may have been discussed here before, but I am going to throw  
>> it out again...
>> I have set up a few "mailbag" machines for some of my customers to  
>> grab their incoming email and process it for spam.  This then goes  
>> into POP mailboxes and their mail servers then grab the mail.  The  
>> intent is that it be a black-hole for spam and takes some of the  
>> load off of their systems.  A while back, I determined that most  
>> spam (for these customers anyway) was being marked with a spamscore  
>> of about 20, so I set the spam threshold on these mailbag machines  
>> to be 15.
>> These machines run MailScanner (of course), SpamAssassin, and Razor.
>> Everything works fine and transparently most of the time, but  
>> occasionally (i.e. the last few days), email is coming in and  
>> clogging the MailScanner incoming queue.  I haven't measured, but  
>> at times it's around 1 new message per second.  At times there may  
>> be 10-15 thousand messages waiting to be processed.  If left alone,  
>> it doesn't seem to correct itself.  What I have done is transferred  
>> 10k messages or so from the machine that clogs up to another  
>> machine and then they get processed quickly.  This almost seems to  
>> be a DNS-type problem with RBL lookups or something.
>> I have tried to figure out where the messages are coming from, but  
>> I don't see a pattern.  If most messages were coming from a handful  
>> of machines, then I would just put an IP-filter on them and drop  
>> any packets from them.  Unfortunately, I have not seen any pattern  
>> - so I am back to square one.
>> Any ideas as to what I should check, etc. to figure out why these  
>> customers are being excessively spam-bombed.  This seems to happen  
>> maybe once every month or two - then it goes away.
>> Phil
> Have you tried anything like connection rate throttling?
> It is probably a large chain of spambots, and their IPs change  
> fairly frequently. Limiting how many connections can come from  
> one IP should help some. You can try to collect addresses and  
> blackhole them, but they will probably stop shortly as they go on to  
> their next target.
>
> If you are using sendmail this page could help:
> http://www.technoids.org/dossed.html
> I'm sure there are similar features in Exim or Postfix, but I  
> haven't come over to the "dark side" yet so I don't know their  
> secret incantations.
>
> -- 
> MailScanner is like deodorant...
> You hope everybody uses it, and
> you notice quickly if they don't!!!!
>
> -- 
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
> Before posting, read http://wiki.mailscanner.info/posting
>
> Support MailScanner development - buy the book off the website!
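
The thread turns on one question: is the flood coming from a handful of
machines (where an IP filter is the fix) or from a large, shifting pool of
spambots (where per-IP connection throttling helps)? The script below is an
added example, not code from the thread or from MailScanner or sendmail. It
parses "connect from" lines out of an MTA log, measures each source's peak
connection rate over a sliding window (the same quantity a per-client rate
limiter would compare against), and reports how concentrated the traffic is.
The log format, host name, process name and all addresses are constructed;
adjust LOG_PATTERN to whatever your MTA actually writes.

```python
"""Connection-rate analysis over MTA 'connect from' log lines (added example).

Answers two questions from the thread: are most connections coming from a
few IPs (worth filtering), or from many sources that change often (where
per-IP connection throttling helps more)?  Log format and addresses below
are constructed and hypothetical.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: syslog-style sendmail "connect from" lines (hypothetical).
# 198.51.100.7 connects repeatedly; the 203.0.113.x hosts connect once each.
SAMPLE_LOG = """\
Jun 19 02:00:01 mailbag sendmail[1201]: connect from unknown [198.51.100.7]
Jun 19 02:00:02 mailbag sendmail[1202]: connect from unknown [203.0.113.10]
Jun 19 02:00:02 mailbag sendmail[1203]: connect from unknown [198.51.100.7]
Jun 19 02:00:03 mailbag sendmail[1204]: connect from unknown [203.0.113.11]
Jun 19 02:00:04 mailbag sendmail[1205]: connect from unknown [198.51.100.7]
Jun 19 02:00:05 mailbag sendmail[1206]: connect from unknown [203.0.113.12]
Jun 19 02:00:06 mailbag sendmail[1207]: connect from unknown [198.51.100.7]
Jun 19 02:00:07 mailbag sendmail[1208]: connect from unknown [203.0.113.13]
Jun 19 02:00:08 mailbag sendmail[1209]: connect from unknown [198.51.100.7]
Jun 19 02:00:09 mailbag sendmail[1210]: connect from unknown [203.0.113.14]
Jun 19 02:01:30 mailbag sendmail[1211]: connect from unknown [198.51.100.7]
Jun 19 02:01:31 mailbag sendmail[1212]: STARTTLS=server, relay=unknown [203.0.113.14]
"""

# Syslog timestamp (no year), host, process, then the connecting IPv4 address.
LOG_PATTERN = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ \S+: "
    r"connect from \S+ \[(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]"
)


def parse_connections(log_text):
    """Return a list of (timestamp, ip) for every 'connect from' line."""
    events = []
    for line in log_text.splitlines():
        m = LOG_PATTERN.match(line)
        if not m:
            continue  # not a connect event (e.g. STARTTLS, delivery lines)
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
        events.append((ts, m.group("ip")))
    return events


def peak_rate_per_ip(events, window_seconds):
    """Largest number of connections each IP made within any one window.

    Sliding window over each IP's sorted timestamps; both ends inclusive.
    """
    per_ip = defaultdict(list)
    for ts, ip in events:
        per_ip[ip].append(ts)
    peaks = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        left = 0
        best = 0
        for right in range(len(stamps)):
            # Advance the left edge until the window fits within window_seconds.
            while (stamps[right] - stamps[left]).total_seconds() > window_seconds:
                left += 1
            best = max(best, right - left + 1)
        peaks[ip] = best
    return peaks


def top_source_share(events, top_n):
    """Fraction of all connections contributed by the busiest top_n IPs."""
    counts = Counter(ip for _, ip in events)
    total = sum(counts.values())
    if total == 0:
        return 0.0
    return sum(n for _, n in counts.most_common(top_n)) / total


def summarize(log_text, window_seconds=60, per_ip_limit=4, top_n=3):
    """Classify the flood and list sources that would trip a per-IP limit."""
    events = parse_connections(log_text)
    peaks = peak_rate_per_ip(events, window_seconds)
    share = top_source_share(events, top_n)
    return {
        "total_connections": len(events),
        "unique_sources": len(peaks),
        "top_share": share,
        # Heuristic threshold (assumption): if the top few IPs carry 80% or
        # more of the load, an IP filter pays off; otherwise throttle per IP.
        "concentrated": share >= 0.8,
        "over_limit": {ip: n for ip, n in peaks.items() if n > per_ip_limit},
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the top three sources carry about 73% of the
connections and only one IP exceeds four connections per minute, so the
report flags that host for throttling but does not call the flood
concentrated. Run over a real day's log, a low top_share with many sources
is the distributed-botnet case Scott describes; a high one points at a few
hosts worth blocking outright.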
